CLAIMS 

What is claimed as new and desired to be protected by 
Letters Patent of the United States is: 

1. A method for providing authorized remote access to one or
more application sessions, the method comprising: 
requesting, by a client node, access to a resource; 
gathering, by a collection agent, information about the 
client node; 

receiving, by a policy engine, the gathered information; 
making, by a policy engine, an access control decision 
based on the received information; 
identifying one or more application sessions already 
associated with the user in response to the received 
information; and 

establishing, by a session server, a connection between a 
client computer operated by the user and the one or more 
application sessions identified in response to the received 
information. 

2. The method of claim 1 wherein step (a) further comprises 
requesting the resource over a network connection. 



3. The method of claim 1 wherein step (b) further comprises 
gathering the information over a network connection. 

4. The method of claim 1 wherein step (b) further comprises 
gathering information by executing at least one script on 
the client node. 

5. The method of claim 1 wherein step (d) further comprises 
determining if the received information satisfies a 
condition. 

6. The method of claim 5 further comprising determining if 
the received information satisfies a condition by comparing 
the received information to at least one condition. 

7. The method of claim 6 wherein step (d) further comprises 
making an access control decision by applying a policy to 
the condition. 

8. The method of claim 1 wherein a first one of the application 
sessions is running on a first server and a second one of 
the application sessions is running on a second server. 



9. The method of claim 1 wherein the step of establishing, by 
the session server, a connection between the client and the 
one or more application sessions is subject to a rule 
permitting the client computer operated by the user to 
connect to the one or more application sessions. 

10. The method of claim 1 wherein the connection between the 
user and the one or more application sessions is triggered 
by the selection of a single user interface element. 

11. The method of claim 1 further comprising the step of
receiving, by a session server, a disconnect request to 
disconnect the first application session associated with the 
user and the second application session associated with the 
user; and disconnecting, by the session server, the first and 
second application sessions. 

12. The method of claim 11 further comprising updating, by
the session server, at least one data record associated with 
the first and second application sessions to indicate that 
the first and second application sessions are disconnected. 



13. The method of claim 12 further comprising the step of
continuing, by the session server, execution of at least one 
of the disconnected application sessions. 

14. The method of claim 1 wherein step (e) further comprises
identifying, by the policy engine, one or more application 
sessions already associated with the user in response to the 
received information; and 

15. The method of claim 1 wherein step (e) further comprises
consulting stored data associated with one or more servers 
executing application sessions. 

16. The method of claim 1 wherein step (e) further comprises
consulting, by the session store, stored data associated 
with one or more servers executing application sessions. 

17. The method of claim 1 wherein step (e) further comprises
consulting, by the policy engine, stored data associated 
with one or more servers executing application sessions. 

18. The method of claim 1 wherein the one or more application
sessions was connected to a first client computer prior to
connection and, after connection, the one or more
application sessions is reconnected to the first client
computer.

19. The method of claim 1 wherein the one or more application
sessions was associated with a first client computer prior to 
establishing the connection and, after establishing the 
connection, the one or more application sessions is 
connected to a second client computer. 

20. The method of claim 1 wherein at least one application 
session is disconnected. 

21. The method of claim 1 wherein at least one application
session is active. 

22. The method of claim 1 wherein the identifying one or more 
applications sessions is automatic upon receipt of 
authentication information. 

23. The method of claim 1 further comprising the step of 
providing for receiving application output from a one or 
more previously disconnected application sessions 
associated with the user in response to the transmitted 
information. 



24. The method of claim 23 further comprising disconnecting 
at least one active application session associated with the 
user in response to the received information. 

25. The method of claim 23 wherein the one or more active 
application sessions is initially connected to a first client 
computer and, upon requesting access to the resource, the 
user is operating a second client computer. 

26. The method of claim 23, wherein the receipt of application 
output from the one or more active application sessions is 
subject to a rule permitting the user to have a client 
computer operated by the user connect to the one or more 
active application sessions. 

27. The method of claim 23 wherein the receipt of application 
output from the one or more active application sessions 
and the receipt of application output from the one or more 
disconnected application sessions are triggered by the 
selection of a single user interface element. 

28. The method of claim 23 wherein the one or more
disconnected application sessions was connected to a first
client computer prior to disconnection and, at connection,
the one or more disconnected application session is
reconnected to the first client computer.

29. The method of claim 23 wherein the one or more 
disconnected application sessions was connected to a first 
client computer prior to disconnection and, at connection, 
the one or more disconnected application session is 
connected to a second client computer. 

30. A system for providing authorized remote access to an 
application session, the policy engine comprising: 

a collection agent gathering information about the client 
node; and 

a policy engine receiving the gathered information, making 
an access control decision based on the received 
information, and requesting an enumeration of one or more 
application sessions associated with the client node, the 
request including the access control decision; and 
a session server generating an enumeration of one or more 
application sessions associated with the client node 
responsive to the access control decision. 



31. The system of claim 30 wherein the collection agent
executes on the client node. 

32. The system of claim 30 wherein the policy engine transmits 
the collection agent to the client node. 

33. The system of claim 30 wherein the policy engine transmits 
instructions to the collection agent determining the type of 
information the collection agent gathers. 

34. The system of claim 30 wherein the policy engine makes an 
access control decision based on applying a policy to the 
gathered information. 

35. The system of claim 30 wherein a first one of the 
application sessions is running on a first server and a 
second one of the application sessions is running on a 
second server. 

36. The system of claim 30 wherein the session server connects 
the client node to the one or more application sessions. 



37. The system of claim 36 wherein the connection of the client 
node to the one or more application sessions, is triggered 
by selection of a single user interface element. 

38. The system of claim 36 wherein the session server is also 
configured to receive a disconnect request to disconnect 
the first application session associated with the user and 
the second application session associated with the user and 
disconnect the first and second application sessions in 
response to the request. 

39. The system of claim 38 wherein the session server is
further configured to update at least one data record 
associated with each of the first and second application 
sessions to indicate that the first and second application 
sessions are disconnected. 

40. The system of claim 38 wherein the session server is 
further configured to continuing execution of at least one 
of the disconnected application sessions. 



41. The system of claim 30 wherein the policy engine further
comprises stored data associated with one or more servers 
executing application sessions. 

42. The system of claim 30 wherein the one or more application 
sessions was connected to a first client computer prior to 
connection and, after connection, the one or more 
application sessions is reconnected to the first client 
computer. 

43. The system of claim 30 wherein the one or more application 
sessions was associated with a first client computer prior to 
connection and, after connection, the one or more 
application sessions is connected to a second client 
computer. 

44. The system of claim 30 wherein at least one of the one or 
more application sessions is disconnected. 

45. The system of claim 30 wherein at least one of the one or 
more application sessions is active. 



